It's more like some endpoints are 95% secure whereas Cloudflare Flexible SSL is 5% secure. Conflating those as "not 100%" is far more misleading than rounding them off to "secure" and "not secure". If https:// doesn't mean traffic is encrypted as it passes over the public internet then it means nothing, and that's what happens when you use Cloudflare.
Those comments are saying that because the last hop (Cloudflare → GitHub) will still be unencrypted. You may disagree that it doesn't make it insecure, but that doesn't mean they're uninformed.
The FULL option in fact requires HTTPS even for the last hop. It just accepts any certificate which isn't as good as only accepting a valid certificate. But the last hop doesn't have to be clear-text any more.
How do I do that with GitHub pages? In my case (glowing-bear.org), I'd like to tell Cloudflare to accept valid certificates for glowing-bear.github.io (or *.github.io) because that's the origin certificate. But I haven't found an option to do so.
GitHub has no provision for this. So it's more a GitHub issue than a Cloudflare one. The latter has the Full (but not strict) SSL option for precisely this situation, which is arguably better than going with Flexible SSL.
Right, but if someone can snoop the connection between Cloudflare and your server, chances are they are in control of some intermediate machine and can MITM, injecting their own self-signed cert.